O2 UK Security Flaw Exposed Location Data of 23 Million Customers for 8 Years
May 19, 2025
O2 UK, a prominent telecommunications provider with nearly 23 million mobile customers as of March 2025, faced a significant security flaw in its VoLTE and WiFi Calling technologies.
Researcher Daniel Williams discovered the flaw while using the Network Signal Guru app on a Google Pixel 8, which let him intercept and decode the IMS signalling messages exchanged during a call and read out the location of the cell tower the other party's handset had last connected to.
In urban settings the geolocation was accurate to within roughly 100 square meters; in rural areas it was less precise but still revealing.
This vulnerability allowed user location data to be exposed through call metadata, raising serious privacy concerns.
The issue stemmed from the verbosity of the SIP headers exchanged during call set-up, which inadvertently carried sensitive values such as the IMSI, IMEI, and serving-cell location data of the handset.
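The fix for this class of bug sits on the operator side: the IMS core must strip or redact subscriber and cell identifiers from SIP headers before a message crosses to the remote party. The following is an added example, not code from the article, from O2 UK, or from BleepingComputer. It assumes the 3GPP IMS header names P-Access-Network-Info and Cellular-Network-Info (defined in 3GPP TS 24.229) and the cgi-3gpp / utran-cell-id-3gpp parameter names as the carriers of cell identity; the INVITE message, the X-Subscriber header, and every IMSI, IMEI and cell value in it are constructed for the demo.

```python
"""Detect and redact subscriber/location identifiers in SIP signalling.

Added example. Header names come from 3GPP TS 24.229 (assumed to be the
carriers of cell identity); the sample INVITE and all identifiers in it
are constructed and do not describe any real network or subscriber.
"""
import re

# Headers intended for the operator's own IMS core; they must never be
# forwarded to the far-end user agent (assumption based on TS 24.229).
OPERATOR_ONLY_HEADERS = {
    "p-access-network-info",
    "cellular-network-info",
    "p-charging-vector",
    "p-visited-network-id",
}

# Value patterns that indicate an identifier is present. Group 1 is the
# sensitive part that gets redacted.
IMSI_RE = re.compile(r"\bimsi[-=:]?(\d{14,15})\b", re.I)
IMEI_RE = re.compile(r"\b(?:urn:gsma:)?imei[-=:]?([\d-]{14,18})", re.I)
CELL_RE = re.compile(
    r"(?:cgi-3gpp|utran-cell-id-3gpp|eutran-cell-id-3gpp)=([^;\s]+)", re.I
)

# Constructed sample: an INVITE as it might look inside the core before
# sanitisation. X-Subscriber is a made-up header for the demo.
SAMPLE_INVITE = (
    "INVITE sip:+441234567890@ims.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.1;branch=z9hG4bK776\r\n"
    "From: <sip:+447700900001@ims.example.net>;tag=1928\r\n"
    "To: <sip:+441234567890@ims.example.net>\r\n"
    "P-Asserted-Identity: <sip:+447700900001@ims.example.net>\r\n"
    "P-Access-Network-Info: 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=2341000001A2B3C\r\n"
    "Cellular-Network-Info: 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=2341000001A2B3C\r\n"
    "Contact: <sip:ue@10.0.0.1>;+sip.instance=\"<urn:gsma:imei:35123456-789012-0>\"\r\n"
    "X-Subscriber: imsi-234100000000001 imei-351234567890123\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(msg):
    """Split a SIP message into (start_line, [(name, value), ...], body)."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def find_leaks(msg):
    """Return (header_name, reason) for every header that would leak data.

    A header can appear more than once if it leaks for several reasons.
    """
    _, headers, _ = parse_headers(msg)
    leaks = []
    for name, value in headers:
        if name.lower() in OPERATOR_ONLY_HEADERS:
            leaks.append((name, "operator-internal header"))
        if IMSI_RE.search(value):
            leaks.append((name, "IMSI"))
        if IMEI_RE.search(value):
            leaks.append((name, "IMEI"))
        if CELL_RE.search(value):
            leaks.append((name, "cell identity"))
    return leaks


def _redact(pattern, value):
    """Replace only the captured identifier, keeping the surrounding syntax."""
    return pattern.sub(lambda m: m.group(0).replace(m.group(1), "[redacted]"), value)


def sanitize(msg):
    """Drop operator-internal headers and redact identifiers in the rest."""
    start, headers, body = parse_headers(msg)
    kept = []
    for name, value in headers:
        if name.lower() in OPERATOR_ONLY_HEADERS:
            continue
        value = _redact(IMSI_RE, value)
        value = _redact(IMEI_RE, value)
        value = _redact(CELL_RE, value)
        kept.append(f"{name}: {value}")
    return "\r\n".join([start, *kept]) + "\r\n\r\n" + body


if __name__ == "__main__":
    for name, reason in find_leaks(SAMPLE_INVITE):
        print(f"would leak: {name} ({reason})")
    print(sanitize(SAMPLE_INVITE))
```

In a deployment this logic belongs at the boundary element (the P-CSCF or an SBC) on the path towards the remote party; running `find_leaks` over captured signalling from the far side of that element is a cheap regression check that the stripping is actually taking effect.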
Notably, the flaw was not limited to the UK; it also allowed for the tracking of users internationally, including in cities like Copenhagen, Denmark.
The vulnerability had existed since March 27, 2017, but was only resolved on May 18, 2025.
O2 UK confirmed the fix on May 19, 2025, assuring customers that no action was required on their part to secure their information.
Williams attempted to report the issue to O2 UK on March 26 and 27, 2025, but initially received no response from the company.
BleepingComputer reached out to O2 UK for clarification on whether the flaw had been exploited or if customers would be informed, but did not receive a response.
Summary based on 1 source
Source

BleepingComputer • May 19, 2025
O2 UK patches bug leaking mobile user location from call metadata